The State of Washington has officially joined the national conversation on data privacy regulation. On January 17, 2019, the Washington Senate proposed SB 5376, the Washington Privacy Act (WPA), which would impose responsibilities on companies to protect the privacy of “personal data.” The bill’s substantive provisions closely mirror those found in the European Union’s General Data Protection Regulation (GDPR), making the potential legislation one of the most privacy protective in the United States.
Applicability of the WPA
The WPA limits the jurisdictional scope of the law to entities that conduct business in the State of Washington or produce products or services that are intentionally targeted to residents of Washington, which: (1) control or process data of 100,000 or more consumers; or (2) derive over 50% of their gross revenue from the sale of personal information and process or control personal information of 25,000 consumers or more.
The WPA could consequently have a far-reaching impact not only on companies that are physically present or incorporated within the State of Washington, but also on companies outside the state that intentionally solicit the state’s residents for business.
Consumer Rights Under the WPA
Section 6 of the WPA highlights various rights the WPA grants Washington consumers. These rights include but are not limited to the following:
- Request for access: a consumer may request a data controller to confirm that consumer data is being processed and who the data is being sold to. Controllers must also provide consumers with a copy of the personal data being processed.
- Right to correction: a consumer may request the controller to correct inaccurate personal data concerning themselves.
- Right of deletion: a consumer may request the controller to delete the consumer’s personal data without undue delay only when the personal data is no longer necessary in relation to the purpose for which it was collected, or the consumer withdraws consent to data processing.
- Right of restriction: a consumer may request the controller to restrict processing if the consumer contests the accuracy of the personal data, the processing is unlawful, or in other limited circumstances.
- Right of transfer: a consumer may request the controller send the consumer’s personal data in a “structured, commonly used, and machine-readable format” in the case that the consumer’s personal data is required for the performance of a contract for which the consumer is a party.
- Right of objection: a consumer has the right to object to their data being processed for marketing or for any other purpose as long as the organization processing the data does not have justifiable and legitimate grounds for the data processing.
- Protections against profiling: a controller may not deny services or support based on profiling.
After receipt of a consumer request, the controller has 30 days to fulfill that request. The 30-day deadline may be extended by 60 days, granting the controller a total of 90 days to respond. However, the controller must inform the consumer of any extension 30 days after receiving the request. If a consumer makes the request by electronic means, the controller must provide the information by electronic means.
Enhanced Privacy Notices
The WPA requires controllers to be transparent and accountable for their processing of personal data by updating their privacy notices in order for them to reflect:
- Categories of personal data collected;
- The purpose for which the personal data is used;
- The rights consumers may exercise pursuant to the WPA;
- The categories of personal data the controller shares with third parties; and
- The categories of third parties with whom the controller shares personal data.
Furthermore, if a controller sells personal data to data brokers for marketing purposes, including targeted marketing and profiling, it must disclose such processing as well as the manner in which a consumer may exercise the right to object to the sale of personal data.
Liability and Enforcement
The WPA clearly indicates that it does not serve as the basis for a private right of action. Instead, a violation of the WPA is treated as an unfair or deceptive act in trade or commerce. Such a violation is to be enforced by the attorney general’s office, which may bring an action in the name of the state or on behalf of persons residing in the state. Controllers and/or processors must cure WPA violations within 30 days of receiving notice of non-compliance from the attorney general. Violators are subject to injunctions and civil penalties of $2,500 for each violation or $7,000 for each intentional violation.
Impact of the WPA
With the California Consumer Privacy Act (CCPA) set to take effect on January 1, 2020, and the WPA to be voted on soon by the Washington Senate, states are taking matters into their own hands to pursue comprehensive privacy legislation. Congress is concurrently considering a federal privacy framework. Senator Marco Rubio recently introduced the American Data Dissemination Act (ADD), a federal data privacy bill that would preempt all state laws aimed at policing data privacy. The bill is yet to be voted on. In January of 2019, Senators Klobuchar (D-MN) and Kennedy (R-LA) reintroduced the Social Media Privacy and Consumer Rights Act. The bill is aimed at giving consumers more protections on social media platforms such as Facebook or Instagram. Among other things, the bill gives consumers the right to opt out of data collection by third parties on social media platforms.
Whether the U.S. ultimately regulates data privacy at the federal or state level, or both, it’s abundantly clear that there is widespread support for privacy legislation. The real question is how broadly applicable and onerous these laws will be.
* Ali Najaf contributed to this post.